Security and data flow
Dectyl connects with a read-only, least-privilege token and queries in place. Only aggregates, rule metadata, and readiness verdicts cross the boundary. No agents. No log ingestion. No writes. No attacks or simulations. This page shows exactly what crosses and what never does.
Most of the system lives in your environment. Dectyl receives only what a spreadsheet could hold: counts, ratios, rule metadata, and scores.
A small subset of checks, like search-time field extractions an aggregate query cannot see, needs a bounded raw sample. In those cases the sample is reduced to a field-presence result inside your environment before anything egresses. Event contents still never leave.
For the strictest environments we offer an in-environment collector variant: a customer-controlled container runs the queries and computes verdicts inside your boundary, and only verdicts and scores ever leave.
Exactly what the token asks for, and what it never asks for. Lift this straight into your security questionnaire.
| Platform | Read-only scope requested | Never requested |
|---|---|---|
| Splunk | search · rest_properties_get, restricted indexes | edit_* · can_delete · run_collect |
| Sentinel / Defender | Log Analytics Reader · Sentinel Reader · Security Reader | any write or contributor role |
| Chronicle | chronicle.viewer · monitoring.viewer | rule create · retrohunt |
| Elastic | viewer · explicit read on .alerts-security.* | any write privilege |
| CrowdStrike | per-scope READ OAuth clients | write · RTR · attack scopes |
We will go through scopes, egress, and the query layer with your team, and hand over everything the questionnaire needs.